...
AuthN Type Number | Authentication Factor | Resistance to Threat: Theft (Phishing, etc.) | Resistance to Threat: Theft via Dynamic MITM Phishing | Resistance to Threat: Guessing / Offline Cracking | Resistance to Threat: MFA Device Compromise | Resistance to Threat: User Workstation Compromise |
---|---|---|---|---|---|---|
1 | Password | Low | Low | Depends | n/a | Low |
2 | Phone call (see Voice Restrictions, note 1) | Low | Low | High | Low | High |
3 | Phone call (VoIP) (see Additional VoIP Restrictions, note 2) | Low | Low | Medium | Low | High |
4 | SMS | Low | Low | High | Low | High |
5 | SMS (VoIP) (see Additional VoIP Restrictions, note 2) | Low | Low | Medium | Low | High |
6 | HOTP cell phone software (see notes 1 and 3) | Medium | Low | High | Medium | High |
7 | TOTP cell phone software (see notes 1 and 3) | Medium | Low | High | Medium | High |
8 | HOTP token | Medium | Low | High | High | High |
9 | TOTP token | Medium | Low | High | High | High |
10 | HOTP written (backup codes) | Low | Low | High | High | Low |
11 | DUO Push (see note 3) | High | Low | High | Medium | High |
12 | FIDO U2F token with password | High | High | High | High | High |
13 | PKI device certificate with device password | High | High | High | High | Medium |
14 | PKI token certificate with token password | High | High | High | High | High |
...
The Standard MFA Profile that we are developing now focuses on simple passwords no longer being sufficient in a modern world full of phishing threats. The Stronger MFA profile column would be for some future work to support an overall higher LoA, likely coupled with corresponding Identity Proofing requirements. It's helpful to see how the two might differ in their technology requirements.
...